Posted
by
timothy
on Saturday September 24, 2011 @02:35PM
from the see-enclosed-nude-document dept.

Trailrunner7 contributes this snippet from ThreatPost: "Malware that targets Mac OS X isn't anywhere near catching up to Windows-based malware in terms of volume and variety, but it seems that OS X malware may be adopting some of the more successful tactics that Windows viruses have been using to trick users. Researchers have come across a sample of an OS X-based Trojan that disguises itself as a PDF file, a technique that's been in favor among Windows malware authors for several years now."

This isn't a virus. It doesn't propagate; it's not even capable of communicating with its server once installed, so it's another one of these annual proof-of-concept social engineering attacks that anonymous Apple-haters latch onto and then promptly forget about a day later.

You can call things "brain-dead easy" all you want. The average user still won't use them, or even know they're there.

For the account stuff, you might have a point. They don't need to "know it's there" (unlike, say, the old Windows setup where you had to know about "Run as Administrator...") - but they do need to know what admin versus non-admin means. But really that's all they have to know. Even my 70+ year old mom was able to grok that.

As far as backups go, though - the first time you plug in an external hard drive, if backups haven't already been set up - OS X automatically asks "do you want to use this disk for backups?" The user doesn't need to go looking for anything. That's a pretty low bar.

It can add itself to your user files, which allow something to start "at boot", as long as that user is the one (auto)logging in.

You don't see much Windows malware adding itself to your "Startup" folder, but few average Mac users are going to check "command line files" to see whether something has injected something bad or not.

As TFA says, this isn't a PDF, but an executable merely pretending to be one.

It's a trojan, and it likely wouldn't even be sandboxed due to the ball-dropping there on Apple's part. It wouldn't be able to snoop some low level processes, but absolutely anything that is running under your user? Yup. Open ports to communicate with the mothership? Of course. Install a line to start whenever this user is logged in? Of course.

If you get a user dumb enough to allow admin privileges to a fake PDF, you can use officially sanctioned mechanisms to inject code into every process in the machine without requiring a separate 'trojan process' to stay alive to monitor it. Or just replace the operating system kernel.:p